asa1(config)# crypto ca authenticate PKI-TRUSTPOINT
INFO: Certificate has the following attributes:
Fingerprint: 189320f0 b503496c f8b738d6 d096878e
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
asa1(config)# crypto ca enroll PKI-TRUSTPOINT
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
Password: ********
Re-enter password: ********
% The fully-qualified domain name in the certificate will be: asa1.test.com
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
asa1(config)# The certificate has been granted by CA!
asa1(config)#
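For reference, the key pair and trustpoint that the two interactive commands above operate on. This is an added illustration, not configuration from the post; the key label, the SCEP address of the local CA, the subject name and the revocation setting are assumptions.

```cisco
! ASA prerequisites for the 'crypto ca authenticate' / 'crypto ca enroll' steps shown above.
! Added example; ASA1-KEY, 198.51.100.10 (assumed SCEP endpoint of the local CA) and the
! subject name are assumptions, not values from the post.
crypto key generate rsa label ASA1-KEY modulus 2048
!
crypto ca trustpoint PKI-TRUSTPOINT
 enrollment url http://198.51.100.10:80
 fqdn asa1.test.com
 subject-name CN=asa1.test.com,O=test
 keypair ASA1-KEY
 ! lab setting: revocation checking against the local CA disabled (assumption)
 revocation-check none
!
! Then, interactively, exactly as in the transcript above:
!   crypto ca authenticate PKI-TRUSTPOINT   (import and fingerprint-check the CA certificate)
!   crypto ca enroll PKI-TRUSTPOINT         (SCEP request for the identity certificate)
!
! Verify that both the CA certificate and the identity certificate are in the trustpoint:
show crypto ca certificates PKI-TRUSTPOINT
```

Two points a practitioner will want to check here. The fingerprint prompt in `crypto ca authenticate` is the only out-of-band verification of the CA certificate, so compare it against the fingerprint the CA administrator publishes before answering `yes`. And the near-instant "The certificate has been granted by CA!" in the transcript is what an auto-granting CA looks like; that is convenient in a lab, but it means possession of the challenge password alone yields a certificate trusted by the tunnel, so production CAs should grant manually or tie the challenge to a registration step.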

I will continue working on this case and I will update the post till the tunnel comes up.

…a day later

I continued working on this problem and now I’m almost sure the
solution is not supported by Cisco. By solution I mean: ‘ASA & IKEv2
& local CA’. I will test it with a Windows CA in the next few days. Now
let’s see what the last test result is.
I changed the configuration on both devices:

The last error message is very vague: “Failed to verify signature”.
It could explain why on R1 I see IKEv2 and IPsec tunnels but not on the ASA.
It looks like R1 ‘thinks’ the session is set up properly but the ASA drops
the tunnel based on the last failure.

“The recommended IPSec interface on IOS is a Virtual Tunnel Interface
(VTI), which creates a generic routing encapsulation (GRE) interface
that is protected by IPsec. For a VTI, the Traffic Selector (what
traffic should be protected by the IPSec security associations (SA)),
consists of GRE traffic from the tunnel source to the tunnel
destination. Because the ASA does not implement GRE interfaces, but
instead creates IPSec SAs based on traffic defined in an access control
list (ACL), we must enable a method that allows the router to respond to
the IKEv2 initiation with a mirror of the proposed traffic selectors.
The use of Dynamic Virtual Tunnel Interface (DVTI) on the FlexVPN router
allows this device to respond to the presented Traffic Selector with a
mirror of the Traffic Selector that was presented.”
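The pairing the quoted passage describes, as an added example that is not configuration from the post or from Cisco's document: a FlexVPN router answering with a dynamic VTI so that it mirrors whatever traffic selector the ASA's crypto-map ACL proposes. Interface names, addresses, subnets, proposal names and the certificate-map match are all assumptions; the trustpoint name and the ASA's FQDN are taken from the page.

```cisco
!=== R1 (IOS/IOS-XE) – FlexVPN responder with a dynamic VTI ===
! Added example. Assumed: R1 outside = GigabitEthernet0/0 203.0.113.1, LAN behind R1 = 192.168.10.0/24,
! ASA outside = 203.0.113.2, LAN behind ASA = 192.168.20.0/24, ASA cert subject contains asa1.test.com.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
! Accept only a peer whose certificate subject names the ASA (assumption about the ASA's subject).
crypto pki certificate map ASA-CERT-MAP 10
 subject-name co asa1.test.com
!
crypto ikev2 profile FLEX-PROF
 match certificate ASA-CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-TRUSTPOINT
 virtual-template 1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
 set ikev2-profile FLEX-PROF
!
! The DVTI: each incoming IKEv2 session is cloned from this template and the IPsec SA on the
! Virtual-Access interface takes the traffic selector the ASA proposed, not GRE src/dst.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF

!=== asa1 – crypto-map initiator, ACL defines the traffic selector ===
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! This ACL is what becomes TSi/TSr in the IKEv2 exchange; R1's DVTI mirrors it back.
access-list VPN-R1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
!
crypto map OUTSIDE-MAP 10 match address VPN-R1
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set trustpoint PKI-TRUSTPOINT
crypto map OUTSIDE-MAP interface outside
crypto ikev2 enable outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate PKI-TRUSTPOINT
!
! Verification on either side once 192.168.20.0/24 -> 192.168.10.0/24 traffic is sent:
!   show crypto ikev2 sa
!   show crypto ipsec sa
```

Two caveats. First, the mirroring only solves the traffic-selector mismatch; R1 still needs a route for 192.168.20.0/24 pointing at the Virtual-Access interface once the session is up (a FlexVPN authorization policy or a routing protocol over the tunnel, not shown here), otherwise return traffic never enters the tunnel. Second, `match certificate` with a certificate map is deliberately tighter than `match identity remote any`: with certificate authentication any holder of a certificate from the shared CA could otherwise bind to this profile, which matters when the CA auto-grants enrollments.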